1. INTRODUCTION

Competency, skills, and qualifications for a craft are demonstrated by acquiring certifications. These documents act as credentials and are considered by employers when hiring personnel. Recently, however, the creation of fraudulent academic credentials has become prevalent [1]. Verifying these documents is challenging because they cannot be traced quickly and accurately [2]. Thus, a system is needed to inspect the authenticity and validity of such certification documents rapidly and precisely [3].

Due to the rise in the use of smartphones with cameras, combined with the ease of scanning a quick response (QR) code using such a device, studies have explored QR codes as a cheap alternative to other tag-based systems [4]. QR codes have been used for authentication on printed documents for fraud identification. One study tried embedding watermark objects with QR codes to determine printed document validity, but challenges were identified, such as the preparation of validation links, watermark image (logo) configuration, and size restriction [5], [6], making the embedding of an image in a QR code unattractive. Others have embedded a blockchain technology pattern into a QR code for authentication [7] and used encrypted lossless compression [8], but failed to incorporate hashing in their verification, thus neglecting the integrity of the data being transmitted. One study analyzed the impact of blockchain on academic certificates and saw its advantage [9], [10]; others, however, find it complicated, challenging, and costly, and therefore recommend it as better suited to financial and other sectors where mining is present [11].

Several studies successfully created verification apps using QR codes. One constructed a mobile app for securing issued degree documents, which encrypts students' information from the database and saves it on a server, afterward creating a QR code to be printed on the document, which is then used for validation purposes [12]. Another study combines QR codes, digital signatures, and hashing in a smartphone application [13]. One study was able to integrate secured communication via transport layer security and hashing [14]. Another developed an Android application that used QR codes along with a hash in the identification of objects [15]. However, in all of these studies the QR code can only be read using the created mobile application, which is a hassle because it needs to be installed separately.

Hashing has been proven to ensure data integrity, so its wide usage has been evident. In one study, a hash function was used to create an efficient way to secure the personally identifiable information (PII) of a user in a QR code. This is good because data integrity is assured, but the disadvantage is that secure hash algorithm 1 (SHA-1) was used as the hashing algorithm, and it is already known to be weak [16]. Blockchain was successfully integrated with QR codes in one more study, but it failed to add security in transit [17]. Previous research applied QR code technology to verifying the authenticity of documents using a web application that does not require additional installation on the part of the user [18], but it failed to consider data security: it transmits data in plaintext and is thus prone to hacking. To address this data security weakness, other studies make use of encryption schemes for security against hacking [19]-[21].

The contribution of this paper is the improvement in the design and development of document integrity verification using QR codes by incorporating modified SHA-1, a better hashing algorithm than the weak SHA-1, to emphasize data integrity, and by including the modified Blowfish encryption algorithm, a modern algorithm, to encrypt the confidential data embedded as a QR code in the document as the security measure. Both data integrity and data confidentiality are assured by incorporating both hashing and encryption. Unlike in previous studies, the software does not need to be installed separately and can be used on both Android and Apple smartphones to verify certificates. The app makes use of the phone's embedded camera. The specific objectives of this study are to: i) develop a more secure document integrity verification software using QR codes with modified SHA-1 for hashing and the modified Blowfish algorithm for encryption, ii) evaluate the acceptability of the developed software via use case tests, and iii) analyze the performance of the system in verifying documents by computing the error rate during alpha testing.


2. METHOD 
2.1. Research design 

This study utilizes the design and development approach. The software was created in Visual Studio Community Edition on an Intel(R) Core(TM) i5-10210U processor with CPU @1.60GHz 2.11 GHz and 8.00 GB RAM running Windows 10 Pro. The web server must run on Internet Information Services (IIS) version 10.0.19401.1. The developers applied the rapid application development (RAD) software development methodology. The process flow of the study is shown in Figure 1. The document integrity verification is subdivided into three sections: hashing, encryption, and generation of QR code; certificate management; and certificate verification.


Document Integrity Verification Using QR Code with Modified SHA-1 and Modified Blowfish Algorithm 


[Figure 1: flowchart in three sections. Hashing, Encryption and Generation of QR Code: hashing using modified SHA-1, then encryption using modified Blowfish algorithm, then generation of QR code from encrypted hash value. Certificate Management: embedding of QR code on certificate template, then printed certificates with QR code. Certificate Verification: scanning of encrypted QR code on certificate template.]

Figure 1. The process flow of the document integrity verification

In the hashing, encryption, and generation of QR code section, the system administrator first inputs the unique certificate identification (ID) of the document and message M, which is the name of the person to whom the document belongs. The modified SHA-1 is then applied to the ID and message M to produce a 192-bit hash value, which is saved to the database. Next, the modified Blowfish algorithm (MBA) encrypts the hash and message M. After that, the QR code generator generates the QR code from the encrypted hash value. The generated QR code is then printed on the documents.

In the certificate management section, the list of names, the created QR codes, and the images for the design of the document that will act as the certificate template must be provided before the printing of the certificates commences. The documents were set using letter-size (8.5" x 11") paper. The arrangement, such as the draft of the background, the location of the name, and the QR code position in the certificate template, is done in the developed Windows application. Once done, the QR code is embedded in the certificate template, and the certificates can be printed based on the list of names provided.

In the certificate verification section, after printing, anybody who wants to verify the document must use their smartphone with a camera to scan the QR code. The operating system of the phone does not matter; it only requires a camera. However, the user's smartphone wireless fidelity (Wi-Fi) should be connected to the same network as the server. After capturing the QR code using the smartphone camera, the user clicks the verify button to let the web application send the encrypted hash value to the web server for data integrity verification. The server receives the information stored in the QR code, decrypts it, and searches for the hash value in the database. If the hash value is found, the system retrieves the unique certificate ID of the document from the database. The system then verifies whether the generated encrypted hash value is the same as the one saved on the server. If the values are equal, the verification is successful, and the message is said to be authentic. If the hash does not exist on the server, the QR code message M has been modified. The verification system displays the message fetched from the server for visual assessment, and it is compared with the information on the printed document.


2.2. Use case testing 

The study adopted alpha testing and makes use of sample documents (certifications) as the source of input. It takes note of message M (the name on the document) and the document ID to generate the hash value using modified SHA-1. Next, the generated hash is encrypted using the modified Blowfish algorithm, sent to the server, and decrypted when necessary.

The software is tested to validate compliance with customer requirements, using the black-box testing technique, specifically the use case testing type [22]. This testing was selected to check whether all parts of the system work as intended and are acceptable to the user, and because it allows quicker test case development, even without knowledge of or access to the code. The target of evaluation is categorized into login, hashing, encryption and decryption, QR code generation, certificate management, and certificate verification, as reflected in Table 1. The test case objectives are stated together with the equivalent functional requirements. These test cases are checked against their expected results and marked passed or failed depending on the behavior of the software.


Table 1. Test cases

| Test case | Test case objective | Functional requirement |
|---|---|---|
| Login Module | Test the login functionality with different sets of data | Users shall be able to login into the system using the correct username and password credentials |
| Hashing Module | Test the hashing module using different certificate ID and message (name) | The system shall be able to generate a hash value using the Modified SHA-1 algorithm out of the certificate ID and message (name). |
| Encryption and Decryption Module | Test if a series of hash values can be encrypted and decrypted without errors | The system shall be able to encrypt the generated hash value using the Modified Blowfish algorithm before transmitting and decrypting upon saving on the server |
| QR Code Generation Module | Test if QR codes are correctly generated from sets of encrypted hash values | The system must be able to generate the QR code from the encrypted hash value |
| Certificate Management Module | Test that QR codes can be placed on certificate templates and can be printed | The user must be able to embed the QR code in the certificate template. The user must be able to print the certificates with the attached QR Code |
| Certificate Verification Module | Test if printed certificates display the correct message (name) on printed certificates | The user must be able to verify the authenticity of the printed certificate using the QR code |

2.3. Performance analysis

After the test case evaluation of the use cases, the error rate is analyzed and tested using thirty (30) documents with correct entries. Names were generated using a name test data generator tool [23]. Error rate and accuracy are computed as in (1) and (2).


$$\text{Error rate} = \frac{|\text{observed value} - \text{actual value}|}{\text{actual value}} \times 100 \tag{1}$$

$$\text{Accuracy} = 100\% - \text{Error rate} \tag{2}$$


3. RESULTS AND DISCUSSION 

This section explains the results of the research and, at the same time, gives a comprehensive discussion. Results can be presented in figures, graphs, tables, and other forms that make them easy for the reader to understand [24], [25]. The discussion can be made in several sub-sections.


3.1. Development of the document integrity verification using QR code with modified SHA-1 and modified blowfish

A login form is presented before the user can access the system. To verify the authenticity of the user, only authorized username and password credentials are allowed. Figure 2 shows the login screen. Figure 3 demonstrates the creation of the hash value using the certificate ID and the message. The message to be embedded in the QR code is the name of the student to whom the certificate belongs. A modified SHA-1 algorithm [26] was applied to create the hash value. After the hash value is created, the hash is encrypted using the modified Blowfish algorithm [27] for added security during the transmission of data to the server. This ensures the safe passage of data and prevents hacking. After encryption, the QR code is generated as shown.


[Figure 2: login dialog titled "Document Integrity Verification using QRCODE with modified SHA-1 and modified Blowfish", with User name and Password fields and OK and Cancel buttons.]

Figure 2. Login screen


[Figure 3: "Hashing, Encryption and QR Code generation" window. Date created: Wednesday, 9 March 2022. Certificate ID: CCS030922. Message: Juan DelaCruz. Button: "Create hash value, encryption and generate QR CODE". Output fields: Hash Value, Encrypted value, Generated QRCODE. Settings and Printing: Certificate design, Printing of Certificate.]

Figure 3. Hashing, encryption, and QR code generation

[Figure 4: sample certificate. Republic of the Philippines, TARLAC STATE UNIVERSITY, Romulo Boulevard, San Vicente, Tarlac City. "This CERTIFICATE OF PARTICIPATION is hereby awarded to Juan DelaCruz for actively participating in the 4-hour webinar on “Positive Psychology: Managing Stress During the Pandemic and Achieving Mental Health” held on June 22, 2021 via Zoom. Given this 22nd day of June 2021 at Tarlac State University."]

Figure 4. Certificate template with encrypted QR code


Figure 4 shows a sample certificate template in which the encrypted QR code was embedded. The certificates may be printed, and each carries a different QR code generated from the certificate ID and the name of each attendee of the seminar or conference. Figure 5 displays how the user will see the QR code when it is viewed through a cellphone camera. The IP address of the server is displayed, and the user is directed to the certificate verification module.


Figure 5. QR code as seen on cellphone camera 


Figure 6 illustrates a sample verification message in which the name of the holder of the certificate is displayed. This name is then checked against the name listed on the printed certificate. If the names match, the certificate is said to be untampered and valid.

[Figure 6: verification page showing the message "This certificate belongs to:Juan DelaCruz".]

Figure 6. Certificate verification

Table 2 displays the test case created for the login module. Four (4) test data were used, and a sample screenshot was inserted to show the result of each test. The module behaves as expected; therefore, the login module passed the use case test. Table 3 shows the test case created for the Hashing Module. Three (3) sets of certificate ID and name combinations were used. Sample screenshots were attached to show the result of the hashing.


Table 2. Login module test case

Test case objective: Test the login functionality with different sets of data

| Test data | Expected result | Actual result | Sample screenshot | Remarks |
|---|---|---|---|---|
| 1. Valid username and password | Users shall be able to login successfully | Same | [screenshot] | Passed |
| 2. A valid username and invalid password | Users should not be able to log in | Same | [screenshot] | Passed |
| 3. Invalid username and valid password | Users should not be able to log in | Same | [screenshot] | Passed |
| 4. Invalid username and invalid password | Users should not be able to log in | Same | [screenshot] | Passed |

Table 3. Hashing module test case

Test case objective: Test the hashing module using different certificate ID and message (name)

| Test data | Expected result (hash value, as extracted) | Actual result | Sample screenshot | Remarks |
|---|---|---|---|---|
| CCS032222-1, Lina Upton | 5c7a1db3bf 3c20214469 f04d4f43ca a40a11447df f742aa4 | Same | [screenshot of the Hashing, Encryption and QR Code generation window] | Passed |
| CCS032222-2, Jose Davis | f347b7822b 537f1c74f3 333058877 10d6759342b 6f5b9b5 | Same | [screenshot of the Hashing, Encryption and QR Code generation window] | Passed |
| CCS032222-3, Giovani Cole | 7d0b577323 382f701340 850a93466b ae696e7729b 488920 | Same | [screenshot of the Hashing, Encryption and QR Code generation window] | Passed |



Table 4 shows the test cases created for the Encryption and Decryption Module, the QR Code Generation Module, and the Certificate Verification Module. The three (3) name and ID combinations used in the hashing module were re-used here. From the encrypted hash, the QR code is generated and placed in the certificate template. To check the process of decryption, the QR code generated from the name was scanned and the decrypted name was displayed. As shown in the table, the same name appears in the certificate and in the displayed decrypted hash, except for test data four (4). Test data four (4) was intentionally modified to showcase that a copy-pasted QR code will still show the original hash value from the initial certificate ID and name combination. This signifies that modification or editing of a name without updating the QR code will be detected, and the certificate can thus be marked as fraudulent. Sample screenshots were attached for comparison. For all input data, the output data is the same, indicating that the test case was a success. Table 5 displays the Certificate Management module test case for the three (3) sets of data. These certificates can be printed after the placement of QR codes on the certificate template.

Table 4. Encryption and decryption, QR code generation, and certificate verification module test case

| Test case objective | Test data and expected result | Actual result | Sample screenshot (decrypted name; QR code) | Remarks |
|---|---|---|---|---|
| Test if a series of hash values can be encrypted and decrypted without errors | 1. Lina Upton | Same | "This certificate belongs to:Lina Upton"; [certificate image] | Passed |
| Test if the QR code is correctly generated from sets of encrypted hash values | 2. Jose Davis | Same | "This certificate belongs to:Jose Davis"; [certificate image] | Passed |
| Test if printed certificates display the correct message (name) on printed certificates | 3. Giovanni Cole | Same | "This certificate belongs to:Giovani Cole"; [certificate image] | Passed |
| | 4. Test [...] Doe, the decrypted value should be Lina Upton | Same | "This certificate belongs to:Lina Upton"; [certificate image] | Passed |

Table 5. Certificate management module test case

| Test case objective | Test data and expected result | Actual result | Sample screenshot | Remarks |
|---|---|---|---|---|
| Test that QR codes can be placed on certificate templates and can be printed | Certificates for Lina Upton, Jose Davis, and Giovanni Cole | Same | [screenshot of the certificate template for Lina Upton] | Passed |

3.3. Error rate computation

The observed value here is the number of correct certificates, which is 29, and the actual value is the number of samples used, in this case 30 certificates. Out of the 30 samples, one was found incorrect, leading to an error rate of 3.33%. Computing for accuracy, the document verification system yields 96.67% accuracy. The error was further investigated after a "certificate does not exist" message was prompted:


$$\text{Error rate} = \frac{|29 - 30|}{30} \times 100\% = 3.33\%$$

$$\text{Accuracy} = 100\% - 3.33\% = 96.67\%$$


Content of the QRCODE that should be generated: 
http://191.192.193.79/?dOFzzTED3yWTMI67 YSH8rmX2u3 | KIfyaZib 1 B/odOwTIGoq!7x2g¢9mtkhKwHOnS 
nW3lIcttxBDN/tt/YNMnyBTw==,Devyn Gleichner 


Content of the QRCODE after generation: 
http://191.192.193.79/2?dOFzzTED3yWTMI67 YSH8rmX2u3 | KIfyaZib 1 B/odOwTIGoq!7x2g¢9mtkhKwHOnS 
nW3lIcttxBD//tt/Y NMnyBTw==,Devyn Gleichner 


The capital letter N has been changed to the caret symbol ^. 
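
The server-side lookup described in Section 2.1 and the single-character payload fault described above, as an added Python example that is not the authors' software: it shows why a copied QR code still returns the original name, why one altered character ends in "certificate does not exist", and how reading the QR code back before printing catches the generator fault. Assumptions: SHA-256 truncated to 192 bits stands in for modified SHA-1, the modified Blowfish step is left out so the token is the base64-encoded hash, and `verifier.example`, the function names, the name Jane Doe and the injected `^` are constructed for illustration.

```python
import base64
import binascii
import hashlib

BASE_URL = "http://verifier.example/"  # placeholder host; the page's payload carries the server IP
DB = {}  # server-side table: hash bytes -> (certificate ID, name)

def digest192(cert_id: str, name: str) -> bytes:
    """Stand-in for the page's modified SHA-1 (192-bit output): SHA-256 cut to 24 bytes."""
    return hashlib.sha256(f"{cert_id}\x00{name}".encode()).digest()[:24]

def issue(cert_id: str, name: str) -> str:
    """Hash, store the record, and build the QR payload '<url>?<token>,<name>'."""
    h = digest192(cert_id, name)
    DB[h] = (cert_id, name)
    # The page encrypts the hash with modified Blowfish at this step; this example
    # carries the hash itself, base64-encoded, so it runs on the standard library.
    token = base64.b64encode(h).decode("ascii")
    return f"{BASE_URL}?{token},{name}"

def verify(payload: str):
    """Return the name stored for the token, or None ("certificate does not exist")."""
    query = payload.partition("?")[2]
    token = query.partition(",")[0]
    try:
        h = base64.b64decode(token, validate=True)  # strict: '^' is not base64
    except (binascii.Error, ValueError):
        return None
    record = DB.get(h)
    return record[1] if record else None  # the name comes from the server, not the QR

def check_certificate(printed_name: str, payload: str) -> str:
    """The visual comparison from the page, expressed as a function."""
    stored = verify(payload)
    if stored is None:
        return "does not exist"
    return "valid" if stored == printed_name else "name mismatch"

def preprint_check(intended: str, decoded: str):
    """Diff the payload decoded from the generated QR image against the intended one.
    Returns [(index, intended_char, decoded_char), ...]; an empty list means print."""
    diffs = [(i, a, b) for i, (a, b) in enumerate(zip(intended, decoded)) if a != b]
    if len(intended) != len(decoded):
        diffs.append((min(len(intended), len(decoded)), "<length>", "<length>"))
    return diffs

if __name__ == "__main__":
    good = issue("CCS032222-1", "Lina Upton")     # ID and name from Table 3
    i = len(BASE_URL) + 6
    bad = good[:i] + "^" + good[i + 1:]            # constructed one-character fault
    print(check_certificate("Lina Upton", good))   # genuine certificate
    print(check_certificate("Jane Doe", good))     # constructed: copied QR, edited name
    print(check_certificate("Lina Upton", bad))    # corrupted payload
    print(preprint_check(good, bad))               # fault caught before printing
```

Decoding the generated image back to text requires a QR reader library, so `preprint_check` takes the decoded string as its input.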


4. CONCLUSION 

A more secure document integrity verification using QR codes was designed and developed by successfully incorporating a better hashing algorithm, modified SHA-1, and integrating a modern encryption algorithm, the modified Blowfish algorithm. By integrating both, data integrity and data confidentiality are assured, as compared to previous research. The verification works without any additional software being installed, by using the smartphone's built-in camera, making it better than other verification software. The developed software has been proven to satisfy all user requirements and is deemed acceptable based on the expected and actual results using the test data. The software is also deemed highly accurate, with an error rate of 3.33%. However, to achieve 100% accuracy, the QR code generator DLL needs to be further investigated and tested on a much larger sample size. Exploration of the embedding of the simplest and most economical blockchain technology for an educational institution may also be further studied.